Patents by Inventor Suresh Chari

Suresh Chari has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11748480
    Abstract: Anomalous control and data flow paths in a program are determined by machine learning the program's normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those events with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: September 5, 2023
    Assignee: Arkose Labs Holdings, Inc.
    Inventors: Suresh Chari, Ashish Kundu, Ian Michael Molloy, Dimitrios Pendarakis
  • Patent number: 11171946
    Abstract: Managing passwords is provided. A machine training process is performed using a set of existing passwords to train a machine learning component. Members of a set of semantic categories are used to categorize respective passwords in the set of existing passwords. Password strengths corresponding to a set of candidate passwords are evaluated using the machine learning component. A resource is secured with a candidate password having a password strength greater than or equal to a defined password strength threshold level.
    Type: Grant
    Filed: February 18, 2020
    Date of Patent: November 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Taesung Lee, Ian Michael Molloy, Youngja Park
  • Patent number: 11159547
    Abstract: A computer system extracts features of documents that mention malware programs to determine textual features that correspond to individual ones of the malware programs. The computer system performs analysis of samples of malware programs to determine features corresponding to the samples. The computer system performs clustering using the textual features and using the features that correspond to the samples of the malware programs. The clustering creates clusters of data points, each data point corresponding to an individual one of the malware programs. The clusters contain data points considered by the clustering to be similar. The computer system outputs indications of the clusters to allow determination of whether data points in the clusters correspond to individual ones of specific malwares. Apparatus, methods, and computer program products are disclosed.
    Type: Grant
    Filed: August 3, 2017
    Date of Patent: October 26, 2021
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Heqing Huang, Taesung Lee, Youngja Park
  • Publication number: 20210133324
    Abstract: Anomalous control and data flow paths in a program are determined by machine learning the program's normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those events with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.
    Type: Application
    Filed: December 22, 2020
    Publication date: May 6, 2021
    Applicant: International Business Machines Corporation
    Inventors: Suresh Chari, Ashish Kundu, Ian Michael Molloy, Dimitrios Pendarakis
  • Patent number: 10904246
    Abstract: Mechanisms are provided to implement a single input, multi-factor authentication (SIMFA) system. The SIMFA system receives a user input for authenticating a user via a single input channel and provides the user input to first authentication logic of an explicit channel of the SIMFA system, wherein the first authentication logic performs a knowledge authentication operation on the user input. The SIMFA system further provides the user input to second authentication logic of one or more side channels of the SIMFA system, where the second authentication logic performs authentication on non-knowledge-based characteristics of the user input. The SIMFA system combines results of the first authentication logic and the second authentication logic to generate a final determination of authenticity of the user. The SIMFA system generates an output indicating whether the user is an authentic user or a non-authentic user based on the final determination of authenticity of the user.
    Type: Grant
    Filed: June 26, 2018
    Date of Patent: January 26, 2021
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Zhongshu Gu, Heqing Huang, Dimitrios Pendarakis
  • Patent number: 10902121
    Abstract: Anomalous control and data flow paths in a program are determined by machine learning the program's normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those events with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: January 26, 2021
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Ashish Kundu, Ian Michael Molloy, Dimitrios Pendarakis
  • Patent number: 10833861
    Abstract: A processor-implemented method improves security in a blockchain network of devices by protecting security, privacy and ownership assurance of identity assets, where the blockchain network of devices supports a blockchain. An identity asset provider device establishes co-ownership of an identity asset for an identity asset provider and an entity. The identity asset provider device directs a first member of the blockchain network of devices to associate identities of the identity asset provider and the entity based on their co-ownership of the identity asset by using commitments between the identity asset provider and the entity and based on collaborative proof of ownership of the identity asset using zero knowledge proofs in the blockchain network of devices.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: November 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Hasini Gunasinghe, Hugo M. Krawczyk, Ashish Kundu, Kapil Kumar Singh, Dong Su
  • Patent number: 10805308
    Abstract: Jointly discovering user roles and data clusters using both access and side information by performing the following operation: (i) representing a set of users as respective vectors in a user feature space; representing data as respective vectors in a data feature space; (ii) providing a user-data access matrix, in which each row represents a user's access over the data; and (iii) co-clustering the users and data using the user-data matrix to produce a set of co-clusters.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: October 13, 2020
    Assignee: International Business Machines Corporation
    Inventors: Youngja Park, Taesung Lee, Ian M. Molloy, Suresh Chari, Benjamin J. Edwards
  • Patent number: 10715317
    Abstract: A processor-implemented method improves security in a blockchain network of devices, which supports a blockchain, by protecting security, privacy, financial fairness, and secure transfer of identity assets. An identity asset provider device creates an identity asset related to an entity. The identity asset provider also creates a provider key, which is composed of multiple bits, and which is needed to decrypt an encrypted version of the identity asset. The identity asset provider device transmits the provider key bit-by-bit to an identity asset consumer device. A price for the provider key depends on how many bits have been transmitted to the identity asset consumer device.
    Type: Grant
    Filed: December 12, 2017
    Date of Patent: July 14, 2020
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Hasini Gunasinghe, Ashish Kundu, Kapil Kumar Singh, Dong Su
  • Publication number: 20200186516
    Abstract: Managing passwords is provided. A machine training process is performed using a set of existing passwords to train a machine learning component. Members of a set of semantic categories are used to categorize respective passwords in the set of existing passwords. Password strengths corresponding to a set of candidate passwords are evaluated using the machine learning component. A resource is secured with a candidate password having a password strength greater than or equal to a defined password strength threshold level.
    Type: Application
    Filed: February 18, 2020
    Publication date: June 11, 2020
    Inventors: Suresh Chari, Taesung Lee, Ian Michael Molloy, Youngja Park
  • Patent number: 10631168
    Abstract: Advanced persistent threats to a mobile device are detected and prevented by leveraging the built-in mandatory access control (MAC) environment in the mobile operating system in a “stateful” manner. To this end, the MAC mechanism is placed in a permissive mode of operation wherein permission denials are logged but not enforced. The mobile device security environment is augmented to include a monitoring application that is instantiated with system privileges. The application monitors application execution parameters of one or more mobile applications executing on the device. These application execution parameters including, without limitation, the permission denials, are collected and used by the monitoring application to facilitate a stateful monitoring of the operating system security environment. By assembling security-sensitive events over a time period, the system identifies an advanced persistent threat (APT) that otherwise leverages multiple steps using benign components.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: April 21, 2020
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Zhongshu Gu, Heqing Huang, Xiaokui Shu, Jialong Zhang
  • Patent number: 10609017
    Abstract: Managing passwords is provided. A machine training process is performed using a set of existing passwords to train a machine learning component. Members of a set of semantic categories are used to categorize respective passwords in the set of existing passwords. Password strengths corresponding to a set of candidate passwords are evaluated using the machine learning component. A resource is secured with a candidate password having a password strength greater than or equal to a defined password strength threshold level.
    Type: Grant
    Filed: May 10, 2017
    Date of Patent: March 31, 2020
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Taesung Lee, Ian Michael Molloy, Youngja Park
  • Publication number: 20190394195
    Abstract: Mechanisms are provided to implement a single input, multi-factor authentication (SIMFA) system. The SIMFA system receives a user input for authenticating a user via a single input channel and provides the user input to first authentication logic of an explicit channel of the SIMFA system, wherein the first authentication logic performs a knowledge authentication operation on the user input. The SIMFA system further provides the user input to second authentication logic of one or more side channels of the SIMFA system, where the second authentication logic performs authentication on non-knowledge-based characteristics of the user input. The SIMFA system combines results of the first authentication logic and the second authentication logic to generate a final determination of authenticity of the user. The SIMFA system generates an output indicating whether the user is an authentic user or a non-authentic user based on the final determination of authenticity of the user.
    Type: Application
    Filed: June 26, 2018
    Publication date: December 26, 2019
    Inventors: Suresh Chari, Zhongshu Gu, Heqing Huang, Dimitrios Pendarakis
  • Publication number: 20190306719
    Abstract: Advanced persistent threats to a mobile device are detected and prevented by leveraging the built-in mandatory access control (MAC) environment in the mobile operating system in a “stateful” manner. To this end, the MAC mechanism is placed in a permissive mode of operation wherein permission denials are logged but not enforced. The mobile device security environment is augmented to include a monitoring application that is instantiated with system privileges. The application monitors application execution parameters of one or more mobile applications executing on the device. These application execution parameters including, without limitation, the permission denials, are collected and used by the monitoring application to facilitate a stateful monitoring of the operating system security environment. By assembling security-sensitive events over a time period, the system identifies an advanced persistent threat (APT) that otherwise leverages multiple steps using benign components.
    Type: Application
    Filed: March 28, 2018
    Publication date: October 3, 2019
    Applicant: International Business Machines Corporation
    Inventors: Suresh Chari, Zhongshu Gu, Heqing Huang, Xiaokui Shu, Jialong Zhang
  • Patent number: 10341372
    Abstract: Detecting anomalous user behavior is provided. User activity is logged for a set of users. The user activity is divided into distinct time intervals. For each distinct time interval, logged user activity is converted to a numerical representation of each user's activities for that distinct time interval. A clustering process is used on the numerical representations of user activities to determine which users have similar activity patterns in each distinct time interval. A plurality of peer groups of users is generated based on determining the similar activity patterns in each distinct time interval. Anomalous user behavior is detected based on a user activity change in a respective peer group of users within a distinct time interval.
    Type: Grant
    Filed: June 12, 2017
    Date of Patent: July 2, 2019
    Assignee: International Business Machines Corporation
    Inventors: Suresh Chari, Benjamin Edwards, Taesung Lee, Ian M. Molloy
  • Publication number: 20190199731
    Abstract: Jointly discovering user roles and data clusters using both access and side information by performing the following operation: (i) representing a set of users as respective vectors in a user feature space; representing data as respective vectors in a data feature space; (ii) providing a user-data access matrix, in which each row represents a user's access over the data; and (iii) co-clustering the users and data using the user-data matrix to produce a set of co-clusters.
    Type: Application
    Filed: December 22, 2017
    Publication date: June 27, 2019
    Inventors: Youngja Park, Taesung Lee, Ian M. Molloy, Suresh Chari, Benjamin J. Edwards
  • Publication number: 20190182035
    Abstract: A processor-implemented method improves security in a blockchain network of devices, which supports a blockchain, by protecting security, privacy, financial fairness, and secure transfer of identity assets. An identity asset provider device creates an identity asset related to an entity. The identity asset provider also creates a provider key, which is composed of multiple bits, and which is needed to decrypt an encrypted version of the identity asset. The identity asset provider device transmits the provider key bit-by-bit to an identity asset consumer device. A price for the provider key depends on how many bits have been transmitted to the identity asset consumer device.
    Type: Application
    Filed: December 12, 2017
    Publication date: June 13, 2019
    Inventors: Suresh Chari, Hasini Gunasinghe, Ashish Kundu, Kapil Kumar Singh, Dong Su
  • Publication number: 20190165943
    Abstract: A processor-implemented method improves security in a blockchain network of devices by protecting security, privacy and ownership assurance of identity assets, where the blockchain network of devices supports a blockchain. An identity asset provider device establishes co-ownership of an identity asset for an identity asset provider and an entity. The identity asset provider device directs a first member of the blockchain network of devices to associate identities of the identity asset provider and the entity based on their co-ownership of the identity asset by using commitments between the identity asset provider and the entity and based on collaborative proof of ownership of the identity asset using zero knowledge proofs in the blockchain network of devices.
    Type: Application
    Filed: November 28, 2017
    Publication date: May 30, 2019
    Inventors: Suresh Chari, Hasini Gunasinghe, Hugo M. Krawczyk, Ashish Kundu, Kapil Kumar Singh, Dong Su
  • Publication number: 20190121979
    Abstract: Anomalous control and data flow paths in a program are determined by machine learning the program's normal control flow paths and data flow paths. A subset of those paths also may be determined to involve sensitive data and/or computation. Learning involves collecting events as the program executes, and associating those events with metadata related to the flows. This information is used to train the system about normal paths versus anomalous paths, and sensitive paths versus non-sensitive paths. Training leads to development of a baseline “provenance” graph, which is evaluated to determine “sensitive” control or data flows in the “normal” operation. This process is enhanced by analyzing log data collected during runtime execution of the program against a policy to assign confidence values to the control and data flows. Using these confidence values, anomalous edges and/or paths with respect to the policy are identified to generate a “program execution” provenance graph associated with the policy.
    Type: Application
    Filed: October 19, 2017
    Publication date: April 25, 2019
    Applicant: International Business Machines Corporation
    Inventors: Suresh Chari, Ashish Kundu, Ian Michael Molloy, Dimitrios Pendarakis
  • Publication number: 20190044964
    Abstract: A computer system extracts features of documents that mention malware programs to determine textual features that correspond to individual ones of the malware programs. The computer system performs analysis of samples of malware programs to determine features corresponding to the samples. The computer system performs clustering using the textual features and using the features that correspond to the samples of the malware programs. The clustering creates clusters of data points, each data point corresponding to an individual one of the malware programs. The clusters contain data points considered by the clustering to be similar. The computer system outputs indications of the clusters to allow determination of whether data points in the clusters correspond to individual ones of specific malwares. Apparatus, methods, and computer program products are disclosed.
    Type: Application
    Filed: August 3, 2017
    Publication date: February 7, 2019
    Inventors: Suresh Chari, Heqing Huang, Taesung Lee, Youngja Park